730b5b1ff9760f80340954c515fdc16e0d0ba664cfbc0f2157e8228c172f8000

General

Target

fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
Size

356KB
MD5

fd5f67b71543f0d0b620161bfcd1151c
SHA1

c8c938f4edbf3793b6c8b680b3474879c8185ed9
SHA256

730b5b1ff9760f80340954c515fdc16e0d0ba664cfbc0f2157e8228c172f8000
SHA512

48a39c34c3247fa5a7ae9e4e2a1a5e254aca691a170b8d64dd211f67aad0e6841676120585b9839bbbbd6dc39484bf17e417e6d80e724f9129c716f6d411281c
SSDEEP

6144:7vbx8GUoAxgeWj2geARcUPuLrB3cp6FWw21EN:7NVAx2LULN3QEWwOk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2648	gTsei4KNX0Kr.exe

Executes dropped EXE 2 IoCs

pid	Process
2960	gTsei4KNX0Kr.exe
2648	gTsei4KNX0Kr.exe

Loads dropped DLL 5 IoCs

pid	Process
2912	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
2912	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
2912	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
2960	gTsei4KNX0Kr.exe
2648	gTsei4KNX0Kr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\mWFqTcPSebaUubiZ = "C:\\ProgramData\\E3IwONGj\\gTsei4KNX0Kr.exe"	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2864 set thread context of 2912	2864	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	28
PID 2960 set thread context of 2648	2960	gTsei4KNX0Kr.exe	30
PID 2648 set thread context of 2608	2648	gTsei4KNX0Kr.exe	31

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2912	2864	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2912	2864	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2912	2864	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2912	2864	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2912	2864	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2912	2864	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2960	2912	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2960	2912	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2960	2912	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2960	2912	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	29
PID 2960 wrote to memory of 2648	2960	gTsei4KNX0Kr.exe	30
PID 2960 wrote to memory of 2648	2960	gTsei4KNX0Kr.exe	30
PID 2960 wrote to memory of 2648	2960	gTsei4KNX0Kr.exe	30
PID 2960 wrote to memory of 2648	2960	gTsei4KNX0Kr.exe	30
PID 2960 wrote to memory of 2648	2960	gTsei4KNX0Kr.exe	30
PID 2960 wrote to memory of 2648	2960	gTsei4KNX0Kr.exe	30
PID 2648 wrote to memory of 2608	2648	gTsei4KNX0Kr.exe	31
PID 2648 wrote to memory of 2608	2648	gTsei4KNX0Kr.exe	31
PID 2648 wrote to memory of 2608	2648	gTsei4KNX0Kr.exe	31
PID 2648 wrote to memory of 2608	2648	gTsei4KNX0Kr.exe	31
PID 2648 wrote to memory of 2608	2648	gTsei4KNX0Kr.exe	31
PID 2648 wrote to memory of 2608	2648	gTsei4KNX0Kr.exe	31

C:\Users\Admin\AppData\Local\Temp\fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\ProgramData\E3IwONGj\gTsei4KNX0Kr.exe
    "C:\ProgramData\E3IwONGj\gTsei4KNX0Kr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\ProgramData\E3IwONGj\gTsei4KNX0Kr.exe
      "C:\ProgramData\E3IwONGj\gTsei4KNX0Kr.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Program Files (x86)\Windows Sidebar\sidebar.exe
        
        "C:\Program Files (x86)\Windows Sidebar\sidebar.exe" /i:2648
        5⤵
        
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\E3IwONGj\gTsei4KNX0Kr.exe

Filesize
356KB

MD5
fd5f67b71543f0d0b620161bfcd1151c

SHA1
c8c938f4edbf3793b6c8b680b3474879c8185ed9

SHA256
730b5b1ff9760f80340954c515fdc16e0d0ba664cfbc0f2157e8228c172f8000

SHA512
48a39c34c3247fa5a7ae9e4e2a1a5e254aca691a170b8d64dd211f67aad0e6841676120585b9839bbbbd6dc39484bf17e417e6d80e724f9129c716f6d411281c

Download Submit
memory/2608-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2608-51-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2608-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2648-52-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2648-41-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2864-7-0x0000000077130000-0x0000000077240000-memory.dmp

Filesize
1.1MB

Download
memory/2864-5-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2912-9-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2912-8-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2912-24-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2912-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2912-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2912-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2912-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2960-30-0x0000000077130000-0x0000000077240000-memory.dmp

Filesize
1.1MB

Download
memory/2960-36-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2960-39-0x0000000077130000-0x0000000077240000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads